CCPA regulations

Clarifying the $25 Million Threshold in the Final CCPA Regulations

On August 14, 2020, the Office of Administrative Law (“OAL”) approved the California Department of Justice’s final California Consumer Privacy Act (“CCPA”) regulations and filed them with the California Secretary of State. Prior to approval, some businesses were uncertain as to whether the $25 million revenue threshold was related to revenue generated only from California State sales, California residents, or total global revenues. The California Attorney General’s Office has since clarified that limiting the threshold to revenue generated only in California or from California State residents would be inconsistent with the intended broad reach of the CCPA regulations. 

What businesses are regulated by CCPA Regulations?

Businesses Subject to CCPA Enforcement

The CCPA applies to businesses that: 1) do business in the State of California; 2) collect California State resident personal information; and 3) satisfy at least one of the following thresholds:

  • Have annual gross revenue of over $25 million;
  • Buy, receive, sell or share the personal information of 50,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or
  • Derive 50% or more of annual revenue from selling consumer personal information.

Clarifying that annual gross revenue of over $25 million is calculated on total global revenue (regardless of where the revenue is derived from) instead of revenue from California state sales or California residents subjects many more businesses to CCPA enforcement than some had hoped. 

Compliance with CCPA Regulations

Despite the fact that approval of the final CCPA regulations did not occur until August 14, 2020, enforcement of the CCPA began back on July 1, 2020. If they have not already, businesses must take appropriate measures to now comply with the CCPA. Civil penalties range from $2,500 for a non-intentional CCPA violation, to $7,500 for an intentional violation. Additionally, California consumers can bring private rights of action against businesses for data breaches that have exposed non-encrypted and non-redacted personal information to unauthorized third parties.

As readers of this blog know, the privacy-right activist group, Californians for Consumer Privacy, has qualified the California Privacy Rights Act (“CPRA”) (which some are calling CCPA 2.0) for the November 3, 2020 ballot. If this measure were to be written into law, California would move one step closer to implementing a GDPR-like privacy regime. In the interim, data privacy will continue to be a hot-button issue across the country. As such, businesses must be mindful of the ever-moving compliance target or face the regulatory and financial consequences of enforcement. 

If you require assistance with consumer data privacy compliance for your business, please email us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Photo by Maxim Ilyahov on Unsplash

Related Blog Posts:

CCPA Service Provider Agreements: Accounting for the California Consumer Privacy Act (CCPA)

CCPA Record Keeping Requirements

CCPA Forms: The Right to Opt-Out, Request to Know and Request to Delete


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

data CIPA law Swigert law consumer protection data on cumputer screen

Swigart Law Group CIPA Demands

Readers of this blog likely know about the wave of consumer privacy litigation directed at online companies’ collection of consumer data. A litany of these

Read More »